From owner-freebsd-security Mon Dec 9 21:21:48 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id VAA12326 for security-outgoing; Mon, 9 Dec 1996 21:21:48 -0800 (PST)
Received: from sunrise.gv.ssi1.com (root@sunrise.gv.ssi1.com [146.252.44.191]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id VAA12318 for ; Mon, 9 Dec 1996 21:21:45 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by sunrise.gv.ssi1.com (8.8.4/8.8.4) with ESMTP id VAA04522; Mon, 9 Dec 1996 21:21:41 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.8.4/8.8.4) id VAA00670; Mon, 9 Dec 1996 21:21:40 -0800 (PST)
From: Don Lewis
Message-Id: <199612100521.VAA00670@salsa.gv.ssi1.com>
Date: Mon, 9 Dec 1996 21:21:40 -0800
In-Reply-To: jc@irbs.com (John Capo) "Re: L0pht Advisory: modstat (fwd)" (Dec 9, 7:02pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: jc@irbs.com (John Capo), freebsd-security@FreeBSD.ORG
Subject: Re: L0pht Advisory: modstat (fwd)
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Dec 9, 7:02pm, John Capo wrote:
} Subject: Re: L0pht Advisory: modstat (fwd)
}
} Modstat does not need to be setgid kmem. Perhaps this is left over
} from when it groveled around in /dev/kmem.

It looks to me like lkmcioctl() is somewhat inconsistent about the
module name length, and isn't paranoid enough about NUL termination.
The attached patch allows (MAXLKMNAME-1) characters in the name, not
including the terminating NUL.

Something else to be aware of is that if you load a module with a
long enough name, you can't unload it by name.

*** kern_lkm.c- Tue Oct 22 04:00:58 1996 --- kern_lkm.c Mon Dec 9 20:46:39 1996 *************** *** 383,389 **** * Copy name and lookup id from all loaded * modules. May fail. */ ! err =copyinstr(unloadp->name, istr, MAXLKMNAME-1, NULL); if (err) break; --- 383,389 ---- * Copy name and lookup id from all loaded * modules. May fail. */ ! 
err =copyinstr(unloadp->name, istr, MAXLKMNAME, NULL); if (err) break; *************** *** 436,441 **** --- 436,442 ---- * modules. */ copystr(statp->name, istr, MAXLKMNAME-1, NULL); + istr[MAXLKMNAME-1] = '\0'; /* * look up id... */ *************** *** 480,487 **** statp->ver = curp->private.lkm_any->lkm_ver; copystr(curp->private.lkm_any->lkm_name, statp->name, ! MAXLKMNAME - 2, NULL); break; --- 481,489 ---- statp->ver = curp->private.lkm_any->lkm_ver; copystr(curp->private.lkm_any->lkm_name, statp->name, ! MAXLKMNAME - 1, NULL); + statp->name[MAXLKMNAME-1] = '\0'; break; --- Truck
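Review bot: the unload hunk (383,389) raises the copyinstr length from MAXLKMNAME-1 to MAXLKMNAME, so copyinstr may now write MAXLKMNAME bytes into istr; the declaration of istr is outside the hunk, so confirm it is char istr[MAXLKMNAME] and not MAXLKMNAME-1, otherwise the extra byte is a one-byte overflow. The change is otherwise sound: copyinstr returns ENAMETOOLONG instead of leaving an unterminated buffer, and the existing "if (err) break;" already handles that case.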
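Review bot: in the stat hunk (436,441) the return value of "copystr(statp->name, istr, MAXLKMNAME-1, NULL);" is still discarded, so the added "istr[MAXLKMNAME-1] = '\0';" makes the lookup safe but silently truncates an over-long name instead of rejecting it, while the unload hunk fails with the copy error in the same situation. Suggest treating the two paths the same way, if this case has the same err/break structure as the unload case: "err = copystr(statp->name, istr, MAXLKMNAME, NULL); if (err) break;" which also makes the explicit terminator unnecessary and brings the accepted length in line with the unload path.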
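Review bot: the copy-out hunk (480,487) moves the length from MAXLKMNAME-2 to MAXLKMNAME-1 and terminates statp->name, so a name of MAXLKMNAME-1 characters, the longest the unload hunk now accepts, is returned to modstat intact instead of being cut to MAXLKMNAME-2 characters, and before this change such a truncated name could not be fed back to the unload ioctl. Since the copystr return value is deliberately ignored here, a one-line comment next to the added "statp->name[MAXLKMNAME-1] = '\0';" stating that it covers the ENAMETOOLONG case would save the next reader from re-deriving why the terminator is needed.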
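As an added example, not part of Don Lewis's message or of the FreeBSD kernel source: a userland C model of the two copy lengths the patch touches. It shows why a MAXLKMNAME-1 copy length on the unload path rejects a name of MAXLKMNAME-1 characters (the "can't unload it by name" symptom), why the same length on the stat path leaves the local buffer without a NUL when the return value is ignored, and how the patched lengths behave. The copystr_sim routine (a stand-in for the kernel copystr(9)/copyinstr(9) contract), the MAXLKMNAME value of 32, and the module table are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Size of the LKM name buffer. The real value lives in <sys/lkm.h>; 32 is an
 * assumption made for this stand-alone example. */
#define MAXLKMNAME 32

/* Userland stand-in for the kernel copystr(9) contract (assumed from its
 * documented behaviour): copy at most len bytes, stopping after the NUL;
 * return ENAMETOOLONG, with the destination left unterminated, when no NUL
 * appears within len bytes. copyinstr(9) behaves the same for user memory. */
static int
copystr_sim(const char *from, char *to, size_t len, size_t *done)
{
	size_t i;

	for (i = 0; i < len; i++) {
		to[i] = from[i];
		if (from[i] == '\0') {
			if (done != NULL)
				*done = i + 1;
			return (0);
		}
	}
	if (done != NULL)
		*done = len;
	return (ENAMETOOLONG);
}

/* Constructed module table: a short name and a name of exactly
 * MAXLKMNAME-1 characters, the longest the patched unload path accepts. */
static const char *loaded_names[] = {
	"ipfw_mod",
	"abcdefghijklmnopqrstuvwxyz01234",	/* 31 characters */
};
#define NLOADED (sizeof(loaded_names) / sizeof(loaded_names[0]))

/* Look a module up by name the way the unload ioctl does, with the given
 * copy length. Returns the module index, -1 if the copy fails with
 * ENAMETOOLONG (the error the ioctl would return), -2 if nothing matches. */
static int
unload_lookup(const char *name, size_t copylen)
{
	char istr[MAXLKMNAME];
	size_t i;

	if (copystr_sim(name, istr, copylen, NULL) != 0)
		return (-1);
	for (i = 0; i < NLOADED; i++)
		if (strcmp(loaded_names[i], istr) == 0)
			return ((int)i);
	return (-2);
}

/* Before the patch: MAXLKMNAME-1 bytes, so a 31-character name never fits. */
static int unload_lookup_old(const char *name) { return (unload_lookup(name, MAXLKMNAME - 1)); }
/* After the patch: MAXLKMNAME bytes, so 31 characters plus the NUL fit. */
static int unload_lookup_new(const char *name) { return (unload_lookup(name, MAXLKMNAME)); }

/* The stat path copies with MAXLKMNAME-1 and ignores the return value.
 * Returns 1 if the local buffer ends up NUL-terminated, 0 if it does not;
 * "terminate" models the added istr[MAXLKMNAME-1] = '\0' line. */
static int
stat_copy_terminated(const char *name, int terminate)
{
	char istr[MAXLKMNAME];

	memset(istr, 'X', sizeof(istr));	/* stale stack contents, simulated */
	(void)copystr_sim(name, istr, MAXLKMNAME - 1, NULL);
	if (terminate)
		istr[MAXLKMNAME - 1] = '\0';
	return (memchr(istr, '\0', sizeof(istr)) != NULL);
}

static int stat_copy_old_terminated(const char *name) { return (stat_copy_terminated(name, 0)); }
static int stat_copy_new_terminated(const char *name) { return (stat_copy_terminated(name, 1)); }
```

The point the model makes concrete: a bounded copy of len bytes can hold only len-1 characters plus the NUL, so the buffer size and the copy length have to agree, and whichever path ignores the ENAMETOOLONG return must terminate the buffer itself before using it as a string.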